CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,392)
page 267 of 270| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-10442 | 0.00 | — | 0.00 | Oct 16, 2019 | A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||
| CVE-2019-10439 | 0.00 | — | 0.00 | Oct 16, 2019 | A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier in various 'doFillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | |||
| CVE-2019-10438 | 0.00 | — | 0.00 | Oct 16, 2019 | A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials… | |||
| CVE-2019-10409 | 0.00 | — | 0.00 | Sep 25, 2019 | A missing permission check in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers with Overall/Read permission to trigger project generation from templates. | |||
| CVE-2019-16097 | — | 0.00 | — | 0.94 | Sep 8, 2019 | core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without… | ||
| CVE-2019-15953 | — | 0.00 | — | 0.01 | Sep 5, 2019 | An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests.… | ||
| CVE-2019-10387 | 0.00 | — | 0.00 | Aug 7, 2019 | A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,… | |||
| CVE-2019-10389 | 0.00 | — | 0.00 | Aug 7, 2019 | A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server. | |||
| CVE-2019-10377 | 0.00 | — | 0.00 | Aug 7, 2019 | A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins. | |||
| CVE-2019-10369 | 0.00 | — | 0.00 | Aug 7, 2019 | A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified… | |||
| CVE-2019-10187 | 0.00 | — | 0.00 | Jul 31, 2019 | A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to. | |||
| CVE-2019-10357 | 0.00 | — | 0.00 | Jul 31, 2019 | A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries. | |||
| CVE-2019-10344 | 0.00 | — | 0.00 | Jul 31, 2019 | Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins. | |||
| CVE-2019-10184 | 0.00 | — | 0.01 | Jul 25, 2019 | undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. | |||
| CVE-2019-10354 | 0.00 | — | 0.00 | Jul 17, 2019 | A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information. | |||
| CVE-2019-10342 | 0.00 | — | 0.00 | Jul 11, 2019 | A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | |||
| CVE-2019-10341 | 0.00 | — | 0.00 | Jul 11, 2019 | A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing… | |||
| CVE-2019-10339 | — | 0.00 | — | 0.00 | Jun 11, 2019 | A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials. | ||
| CVE-2019-10333 | 0.00 | — | 0.00 | Jun 11, 2019 | Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances. | |||
| CVE-2019-10332 | 0.00 | — | 0.00 | Jun 11, 2019 | A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials. |
- CVE-2019-10442Oct 16, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
- CVE-2019-10439Oct 16, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier in various 'doFillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
- CVE-2019-10438Oct 16, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials…
- CVE-2019-10409Sep 25, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers with Overall/Read permission to trigger project generation from templates.
- CVE-2019-16097Sep 8, 2019risk 0.00cvss —epss 0.94
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without…
- CVE-2019-15953Sep 5, 2019risk 0.00cvss —epss 0.01
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests.…
- CVE-2019-10387Aug 7, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,…
- CVE-2019-10389Aug 7, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.
- CVE-2019-10377Aug 7, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins.
- CVE-2019-10369Aug 7, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified…
- CVE-2019-10187Jul 31, 2019risk 0.00cvss —epss 0.00
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.
- CVE-2019-10357Jul 31, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.
- CVE-2019-10344Jul 31, 2019risk 0.00cvss —epss 0.00
Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins.
- CVE-2019-10184Jul 25, 2019risk 0.00cvss —epss 0.01
undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.
- CVE-2019-10354Jul 17, 2019risk 0.00cvss —epss 0.00
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.
- CVE-2019-10342Jul 11, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
- CVE-2019-10341Jul 11, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…
- CVE-2019-10339Jun 11, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials.
- CVE-2019-10333Jun 11, 2019risk 0.00cvss —epss 0.00
Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances.
- CVE-2019-10332Jun 11, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials.